[CVE-2006-0106] Wine is vulnerable to SetAbortProc WMF bug

Related Vulnerabilities: CVE-2006-0106   CVE-2005-4560  

Debian Bug report logs - #346197

Package: wine; Maintainer for wine is Debian Wine Party <debian-wine@lists.debian.org>; Source for wine is src:wine.

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Fri, 6 Jan 2006 10:18:01 UTC

Severity: grave

Tags: security

Found in version wine/0.9-1

Fixed in version wine/0.9.2-1

Done: Ove Kaaven <ovek@arcticnet.no>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ove Kaaven <ovek@arcticnet.no>:
Bug#346197; Package wine.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Ove Kaaven <ovek@arcticnet.no>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2005-4560] Wine is vulnerable to SetAbortProc WMF bug
Date: Fri, 06 Jan 2006 11:06:46 +0100
Package: wine
Version: 0.9-1
Severity: grave
Tags: security

H D Moore mentioned that Wine contains vulnerable code similar to
Microsoft Windows:

<http://lists.immunitysec.com/pipermail/dailydave/2006-January/002806.html>

The fix seems to be to remove that case label.



Information forwarded to debian-bugs-dist@lists.debian.org, Ove Kaaven <ovek@arcticnet.no>:
Bug#346197; Package wine.


Acknowledgement sent to Paul Wise <pabs3@bonedaddy.net>:
Extra info received and forwarded to list. Copy sent to Ove Kaaven <ovek@arcticnet.no>.


Message #10 received at 346197@bugs.debian.org:

From: Paul Wise <pabs3@bonedaddy.net>
To: 346197@bugs.debian.org
Subject: wine: patch for CVE-2005-4560
Date: Sat, 07 Jan 2006 10:43:27 +0800
Here are a couple of patches for CVE-2005-4560
http://www.winehq.org/pipermail/wine-patches/2006-January/023208.html
http://www.winehq.org/pipermail/wine-patches/2006-January/023232.html

Looks like the latter was committed to wine CVS:
http://cvs.winehq.org/cvsweb/wine/dlls/gdi/metafile.c.diff?r1=1.11&r2=1.12

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Information forwarded to debian-bugs-dist@lists.debian.org, Ove Kaaven <ovek@arcticnet.no>:
Bug#346197; Package wine.


Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>:
Extra info received and forwarded to list. Copy sent to Ove Kaaven <ovek@arcticnet.no>.


Message #15 received at 346197@bugs.debian.org:

From: "Steven M. Christey" <coley@mitre.org>
To: fw@deneb.enyo.de, 346197@bugs.debian.org, pabs3@bonedaddy.net
Subject: different CVE for wine SETABORTPROC WMF issue
Date: Mon, 9 Jan 2006 14:11:22 -0500 (EST)
All,

I have assigned CVE-2006-0106 for the WMF issue in Wine.  This is a
separate candidate from CVE-2005-4560.  This could justifiably be
argued as a design problem in WMF itself, but lately CVE has been
splitting these issues - the rationale being "if it's a design error
then each implementation has its own responsibility to work around
it."

- Steve



======================================================
Name: CVE-2006-0106
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0106
Reference: MLIST:[Dailydave] 20060105 WMF goes away :<
Reference: URL:http://lists.immunitysec.com/pipermail/dailydave/2006-January/002806.html
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197
Reference: FRSIRT:ADV-2006-0098
Reference: URL:http://www.frsirt.com/english/advisories/2006/0098
Reference: SECUNIA:18323
Reference: URL:http://secunia.com/advisories/18323

gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions,
implement the SETABORTPROC GDI Escape function call for Windows
Metafile (WMF) files, which allows attackers to execute arbitrary
code, the same vulnerability as CVE-2005-4560 but in a different
codebase.





Changed Bug title. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org.


Reply sent to Ove Kaaven <ovek@arcticnet.no>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #22 received at 346197-close@bugs.debian.org:

From: Ove Kaaven <ovek@arcticnet.no>
To: 346197-close@bugs.debian.org
Subject: Bug#346197: fixed in wine 0.9.2-1
Date: Mon, 09 Jan 2006 14:47:17 -0800
Source: wine
Source-Version: 0.9.2-1

We believe that the bug you reported is fixed in the latest version of
wine, which is due to be installed in the Debian FTP archive:

libwine-alsa_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-alsa_0.9.2-1_i386.deb
libwine-arts_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-arts_0.9.2-1_i386.deb
libwine-capi_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-capi_0.9.2-1_i386.deb
libwine-cms_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-cms_0.9.2-1_i386.deb
libwine-dev_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-dev_0.9.2-1_i386.deb
libwine-esd_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-esd_0.9.2-1_i386.deb
libwine-gl_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-gl_0.9.2-1_i386.deb
libwine-jack_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-jack_0.9.2-1_i386.deb
libwine-ldap_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-ldap_0.9.2-1_i386.deb
libwine-nas_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-nas_0.9.2-1_i386.deb
libwine-print_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-print_0.9.2-1_i386.deb
libwine-twain_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine-twain_0.9.2-1_i386.deb
libwine_0.9.2-1_i386.deb
  to pool/main/w/wine/libwine_0.9.2-1_i386.deb
wine-utils_0.9.2-1_i386.deb
  to pool/main/w/wine/wine-utils_0.9.2-1_i386.deb
wine_0.9.2-1.diff.gz
  to pool/main/w/wine/wine_0.9.2-1.diff.gz
wine_0.9.2-1.dsc
  to pool/main/w/wine/wine_0.9.2-1.dsc
wine_0.9.2-1_i386.deb
  to pool/main/w/wine/wine_0.9.2-1_i386.deb
wine_0.9.2.orig.tar.gz
  to pool/main/w/wine/wine_0.9.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 346197@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ove Kaaven <ovek@arcticnet.no> (supplier of updated wine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  9 Jan 2006 13:51:33 -0500
Source: wine
Binary: libwine-print libwine-nas libwine-gl libwine-esd libwine-twain wine libwine-arts libwine-jack libwine-cms libwine libwine-ldap wine-utils libwine-dev libwine-alsa libwine-capi
Architecture: source i386
Version: 0.9.2-1
Distribution: unstable
Urgency: low
Maintainer: Ove Kaaven <ovek@arcticnet.no>
Changed-By: Ove Kaaven <ovek@arcticnet.no>
Description: 
 libwine    - Windows API Implementation (Library)
 libwine-alsa - Windows API Implementation (ALSA Sound Module)
 libwine-arts - Windows API Implementation (aRts Sound Module)
 libwine-capi - Windows API Implementation (ISDN Module)
 libwine-cms - Windows API Implementation (Color Management Module)
 libwine-dev - Windows API Implementation (Development files)
 libwine-esd - Windows API Implementation (EsounD Sound Module)
 libwine-gl - Windows API Implementation (OpenGL Module)
 libwine-jack - Windows API Implementation (JACK Sound Module)
 libwine-ldap - Windows API Implementation (LDAP Module)
 libwine-nas - Windows API Implementation (NAS Sound Module)
 libwine-print - Windows API Implementation (Printing Module)
 libwine-twain - Windows API Implementation (Scanner Module)
 wine       - Windows API Implementation (Binary Loader)
 wine-utils - Windows API Implementation (Utilities)
Closes: 346197
Changes: 
 wine (0.9.2-1) unstable; urgency=low
 .
   * New upstream release 0.9.2.
     - Winelib Explorer app (just a wrapper around winefile for now).
     - Debugger cleanups and improvements.
     - Many wininet fixes.
     - Better autogenerated API manpages.
     - A bunch of Korean translations.
     - Lots of bug fixes.
   * This version was released Nov 22, 2005.
   * Installed the explorer program into wine-utils.
   * Renamed wineeject back to eject, and decided to go with upstream's
     way to avoid the naming conflict: launch with "wine eject", not
     with a wrapper script in /usr/bin.
   * Grabbed the WMF patch by Marcus Meissner from Wine CVS.
     It suppresses the dispatch of SETABORTPROC escapes from metafile
     records (dlls/gdi/metafile.c). Some security-minded people seem to
     want this to be fixed right away, even though it's obvious Wine
     could never be a 100% secure program.
     Closes: #346197.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDwuVaA+GMa4PlEQ8RAn8DAKDGpvFe8b21hGM9/kV/mQaDlzta/wCgqveL
9T23SJAY1HghTbsNz+d4XBE=
=DO4n
-----END PGP SIGNATURE-----
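
The changelog in the message above says the fix suppresses dispatch of SETABORTPROC escapes from metafile records. As an added example (not Wine's code and not part of this bug log), the C scanner below applies the same idea on the detection side: it walks the records of a WMF file with bounds checks and reports whether any Escape record requests SETABORTPROC. The function name and the two sample byte arrays are constructed for illustration; the record layout and constants follow the published WMF format.

```c
/* Added example: flag WMF files carrying a META_ESCAPE/SETABORTPROC record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define META_ESCAPE  0x0626u      /* WMF record function number for Escape() */
#define SETABORTPROC 9u           /* GDI escape number, as in wingdi.h */
#define APM_MAGIC    0x9AC6CDD7u  /* optional 22-byte placeable header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* 1: SETABORTPROC escape found; 0: clean up to META_EOF; -1: malformed. */
int wmf_has_setabortproc(const uint8_t *buf, size_t len)
{
    size_t off = (len >= 4 && rd32(buf) == APM_MAGIC) ? 22 : 0;
    if (len < off + 18 || rd16(buf + off + 2) != 9)
        return -1;                /* METAHEADER is 9 words (18 bytes) */
    off += 18;
    while (len - off >= 6) {
        uint32_t words = rd32(buf + off);     /* record size in 16-bit words */
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2)
            return -1;            /* record would run past the buffer */
        if (func == 0)
            return 0;             /* META_EOF */
        if (func == META_ESCAPE) {
            if (words < 4)
                return -1;        /* too short to hold an escape number */
            if (rd16(buf + off + 6) == SETABORTPROC)
                return 1;
        }
        off += (size_t)words * 2;
    }
    return -1;                    /* ran out of data before META_EOF */
}

/* Constructed samples: header, one Escape record with no payload, META_EOF. */
#define HDR 1,0, 9,0, 0,3, 17,0,0,0, 0,0, 5,0,0,0, 0,0
const uint8_t sample_abortproc[] = { HDR, 5,0,0,0, 0x26,6,  9,0, 0,0, 3,0,0,0, 0,0 };
const uint8_t sample_mfcomment[] = { HDR, 5,0,0,0, 0x26,6, 15,0, 0,0, 3,0,0,0, 0,0 };

int main(void)
{
    printf("abortproc=%d mfcomment=%d\n",
           wmf_has_setabortproc(sample_abortproc, sizeof sample_abortproc),
           wmf_has_setabortproc(sample_mfcomment, sizeof sample_mfcomment));
    return 0;
}
```

A return of -1 should be treated as suspicious rather than clean, since a truncated or inconsistent record stream may still be handed to a more lenient metafile player.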




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 07:51:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:08:30 2019; Machine Name: buxtehude
